Analysis
-
max time kernel
368s -
max time network
1790s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
23-06-2024 04:58
Static task
static1
Behavioral task
behavioral1
Sample
Wave.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Wave.exe
Resource
win7-20231129-en
Behavioral task
behavioral3
Sample
Wave.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
Wave.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Wave.exe
Resource
win11-20240508-en
General
-
Target
Wave.exe
-
Size
505KB
-
MD5
634012a39686513995ecbbaf04235a0a
-
SHA1
6204df4370ed114bde2caac305f96b1954e68504
-
SHA256
134bc640e8cc14d6c30f91407a8c812a63319072343bbf8a6bc2aaf3a902d44b
-
SHA512
b8881eb85dc001d4c256a60dbc141592f89ffded8f90d2240c80d6af6468a34e1ac52e288170c0296cf1afe735e7ef7da6a4738adcfc253fded53c7c56ebe002
-
SSDEEP
12288:TyveQB/fTHIGaPkKEYzURNAwbAg8ox4CA9ndmc:TuDXTIGaPhEYzUzA0qV9nkc
Malware Config
Extracted
discordrat
-
discord_token
MTI1NDI4MDkwNjYzODc1Mzg2Mw.GB5zNE.lgu4CSBwMUVxaeb6e0u9sFYW6gLtr8IglmywhI
-
server_id
1189676766084735048
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Executes dropped EXE 1 IoCs
Processes:
Client-built.exepid process 1408 Client-built.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Client-built.exedescription pid process Token: SeDebugPrivilege 1408 Client-built.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Wave.exedescription pid process target process PID 4268 wrote to memory of 1408 4268 Wave.exe Client-built.exe PID 4268 wrote to memory of 1408 4268 Wave.exe Client-built.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Wave.exe"C:\Users\Admin\AppData\Local\Temp\Wave.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD5c2207566970ad0379a62da59e3c4caff
SHA159759d884744c5c025fe800a0b86b63555f7bfe9
SHA25661247d55a049a1a16833a6be90b50ceef20340db7b31181b07d95cbc345dd1ba
SHA5122b6a2684c1a5db78fc1080c26b7263bb5c04eb760d142369cd4d987b35ff9fd76092fe3ceae0633f26f98a12b4d1b5b4aca7071a7022d22d264237dbf1a488bc